This course explains how to secure self-hosted WordPress sites, including site configuration, code modification, and the use of free plug-ins. Beginning with the basics of site security, author Jeff Starr explains how to harden a WordPress site by configuring authentication keys, setting proper file permissions, and removing version numbers. The course shows how to implement a firewall, prevent automated spam, and control proxy access, and concludes with a series of advanced tips and site security best practices.
In this screencast, we increase the security of your WordPress installation by disabling directory views. Many hosts disable directory views on their servers by default, but it's important to know for sure. If your files are visible, there are a couple of easy, effective ways to lock things down. An open listing of your files such as this one may be the first thing a hacker sees before ultimately destroying your web site. When directory views are enabled, any directory that does not include some sort of an index file, such as an index.html file, will openly display a list of all files in the directory, as seen here.
Obviously, this is a huge security risk. If malicious individuals were to gain access to your WordPress configuration file, for example, they could easily access your database and steal sensitive data, destroy your entire site, and make your life miserable in general. Fortunately, disabling directory views is drop-dead easy. Simply open the root .htaccess file for your site and add the following line, "Options -Indexes" with the correct casing--that is important--and put it preferably near the top of the file. It will work anywhere though.
We save the file and upload it to the server. Now let's return to that open directory listing on the web. Let's hit Refresh. Excellent! We see the files are no longer listed. This greatly improves the security of our site. If .htaccess is not an option, you may prevent directory listings by simply adding a blank index.html file to any directory that doesn't already include one. Before doing so, let's reset our example directory by re-enabling file listings.
Once again, file listings are enabled. So let's return to the FTP/file editor and upload our index.html file, which contains some simple code. Once that file has been uploaded, return to the browser and reload the page to see that our index file is in place and working and preventing open directory listings. The index.html file can be completely blank, but it may also contain any sort of markup desired.
In this example HTML file, I've included some basic markup to help demonstrate the technique. While most versions of WordPress include such faux index files by default for certain directories, there are still many subdirectories that should be protected. This is where the .htaccess method is going to save time. But in the event that .htaccess is not available to you, simply adding an index file to any open directory will work just as well. In this screencast, we've improved security by disabling directory listings.
Without this protection, you're taking an unnecessary risk. Using either .htaccess or the blank file method, it's best to play it safe and lock things down.
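An added example, not part of the course or its exercise files: a Python audit that reports whether the text of a root .htaccess file leaves directory listings disabled, and lists every directory that has no index file and so still needs one if .htaccess is unavailable. The index file names, the function names and the sample directory tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumed index file names; the server's DirectoryIndex setting decides the real list.
INDEX_NAMES = {"index.html", "index.htm", "index.php"}
# Matched case-insensitively so a differently cased line is still found by the audit.
OPTIONS_LINE = re.compile(r"^\s*Options\s+(.*)$", re.IGNORECASE)


def htaccess_disables_indexes(text):
    """Return True if the last Indexes setting in the .htaccess text is '-Indexes'."""
    disabled = False
    for line in text.splitlines():
        match = OPTIONS_LINE.match(line)  # lines starting with '#' never match
        if not match:
            continue
        for token in match.group(1).split():
            if token.lstrip("+-").lower() == "indexes":
                disabled = token.startswith("-")  # a later '+Indexes' re-enables listings
    return disabled


def dirs_without_index(root):
    """Return directories under root (relative paths) that contain no index file."""
    missing = []
    for current, _subdirs, files in os.walk(root):
        if not INDEX_NAMES.intersection(files):
            missing.append(os.path.relpath(current, root))
    return sorted(missing)


def build_sample_site(root):
    """Create a small constructed tree that mimics a WordPress layout."""
    for rel in ("wp-content/uploads/2013", "wp-content/plugins/example-plugin", "wp-includes"):
        os.makedirs(os.path.join(root, rel))
    for rel in ("index.php", "wp-content/index.php", "wp-content/plugins/index.php"):
        with open(os.path.join(root, rel), "w") as handle:
            handle.write("<?php // Silence is golden.\n")
    with open(os.path.join(root, ".htaccess"), "w") as handle:
        handle.write("# constructed sample\nOptions -Indexes\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        with open(os.path.join(site, ".htaccess")) as handle:
            print("listings disabled in .htaccess:", htaccess_disables_indexes(handle.read()))
        for path in dirs_without_index(site):
            print("no index file:", path)
```

Run it against a local copy of the site by passing that directory to dirs_without_index instead of the sample tree.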
There are currently no FAQs about WordPress 3: Developing Secure Sites.